- Feb 20

Latest Exchange vulnerability not serious, but a warning for customers

A typical NTLM pass-the-hash attack, this one from a similar (last year's) Exchange vulnerability. Source: Microsoft

The latest Microsoft Exchange vulnerability (CVE-2024-21410) is being exploited in the wild. Yet it is not that easily exploitable and not really a new development.

It is however a reminder you should migrate to a managed SaaS offering for your e-mail and collaboration infrastructure (Microsoft or not).

In the Adriatics region, a quick internet scan reveals thousands of Exchange servers are laying around publicly exposed, surely an attractive target for future attacks.

But why is this vulnerability not (yet) that serious? 2 reasons:

The vulnerability requires first enticing for ex. vulnerable Outlook users to click on a link that would relay a credential to the attacker (NTLM hash). This is a widely used technique called NTLM relay or pass-the-hash attack, which would allow the attacker to authenticate to Microsoft apps as the targeted user. It also means the attack is not possible without some kind of user interaction, which makes it less attractive for threat actors. This is in stark contrast to for ex. the ProxyNotShell Exchange vulnerabilities from 2022 which enabled ransomware operators to automatically take over servers (Rackspace Exchange catastrophic failure was a notable example, see here).
Second, the vulnerability does not directly enable Windows OS system access and server takeover, but it will allow the attacker to access the affected user's data on Exchange and other Microsoft applications within an organization, and possibly pivot to other elements of the attack surface.

Microsoft has been providing mitigation for NTLM relay attacks in general since at least 2022, as they've seen many threat actors leveraging them (see this).

So the latest vulnerability is not a novelty, but rather a reminder of NTLM pass-the-hash attacks being increasingly leveraged together with Exchange.

It's also a warning you should migrate to a SaaS offering (Microsoft or not), to avoid the Rackspace type of disaster, which resulted in permanent loss of access to email data for Rackspace customers (more here).